Changeset 1483

Timestamp:

Feb 22, 2010, 3:09:49 AM (14 years ago)

Author:

geofft

Message:

__scripts/needcerts: Add support for working around Safari

Safari on Mac OS X (or more properly, CFNetwork and the rest of the SSL
stack) doesn't properly support SSLVerifyClient Optional, which is our
default for :444. In particular, if you don't have an identity
preference set, only SSLVerifyClient Require will trigger the dialog to
set an identity preference and present a certificate to the site:

http://lists.apple.com/archives/apple-cdsa/2009/Apr/msg00041.html

We can work around this by checking for the Safari user-agent in
/__scripts/needcerts and renegotiating SSLVerifyclient Require. Forcing
the Require behavior on Safari users that reach this page is reasonable
because this page is only (supported to be) reached as an ErrorDocument
401; if you're intentionally using AuthOptional on to take advantage of
the optional authentication, you'll never trigger the 401 error.

File:

• trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf (modified) (1 diff)

trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf

@@ -29 +29 @@
     RewriteRule ^ https://%{SERVER_NAME}:444%1 [L,R]
 
+    RewriteCond %{HTTP_USER_AGENT} Mac\ OS\ X.*AppleWebKit
+    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/needcerts(.*) /__scripts/safarihack$1 [L]
+
     RewriteRule /afs/athena.mit.edu/contrib/scripts/www/needcerts(.+) $1 [L]
     RewriteRule /afs/athena.mit.edu/contrib/scripts/www/needcerts /__scripts/unauthorized.html [L]
 </Location>
+
+<Location /__scripts/safarihack>
+    SSLVerifyClient require
+    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/safarihack(.+) $1 [L]
+    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/safarihack /__scripts/unauthorized.html [L]
+</Location>